Merge pull request #12294 from Security-Onion-Solutions/jppffa

Jppffa
2025-12-06 09:12:45 +01:00 · 2024-02-01 09:47:18 -05:00
parent e090518b59 ae32ac40c2
commit 3d478b92b2
4 changed files with 24 additions and 9 deletions
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -84,6 +84,13 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+    'so-nginx-fleet-node':
+      final_octet: 31
+      port_bindings:
+        - 8443:8443
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
    'so-playbook':
      final_octet: 32
      port_bindings:
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -48,6 +48,7 @@ docker:
    so-logstash: *dockerOptions
    so-mysql: *dockerOptions
    so-nginx: *dockerOptions
+    so-nginx-fleet-node: *dockerOptions
    so-playbook: *dockerOptions
    so-redis: *dockerOptions
    so-sensoroni: *dockerOptions
--- a/salt/firewall/containers.map.jinja
+++ b/salt/firewall/containers.map.jinja
@@ -95,7 +95,7 @@
 {% set NODE_CONTAINERS = [
     'so-elastic-fleet',
     'so-logstash',
-     'so-nginx'
+     'so-nginx-fleet-node'
 ] %}

 {% elif GLOBALS.role == 'so-sensor' %}
--- a/salt/nginx/enabled.sls
+++ b/salt/nginx/enabled.sls
@@ -94,17 +94,24 @@ make-rule-dir-nginx:
      
 {%   endif %}

+{# if this is an so-fleet node then we want to use the port bindings, custom bind mounts defined for fleet #}
+{% if GLOBALS.role == 'so-fleet' %}
+{%   set container_config = 'so-nginx-fleet-node' %}
+{% else %}
+{%   set container_config = 'so-nginx' %}
+{% endif %}
+
 so-nginx:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }}
    - hostname: so-nginx
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-nginx'].ip }}
+        - ipv4_address: {{ DOCKER.containers[container_config].ip }}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-    {% if DOCKER.containers['so-nginx'].extra_hosts %}
-      {% for XTRAHOST in DOCKER.containers['so-nginx'].extra_hosts %}
+    {% if DOCKER.containers[container_config].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers[container_config].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
@@ -124,20 +131,20 @@ so-nginx:
      - /nsm/repo:/opt/socore/html/repo:ro
      - /nsm/rules:/nsm/rules:ro
      {% endif %}
-      {% if DOCKER.containers['so-nginx'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-nginx'].custom_bind_mounts %}
+      {% if DOCKER.containers[container_config].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-nginx'].extra_env %}
+    {% if DOCKER.containers[container_config].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-nginx'].extra_env %}
+      {% for XTRAENV in DOCKER.containers[container_config].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    - cap_add: NET_BIND_SERVICE
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-nginx'].port_bindings %}
+      {% for BINDING in DOCKER.containers[container_config].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - watch: